PwnKit local privilege escalation in polkit pkexec
CVE-2021-4034, commonly known as PwnKit, is a local privilege escalation vulnerability in polkit's setuid-root pkexec utility. The flaw is an out-of-bounds read and write in pkexec's argument handling: its option-parsing loop starts at argv[1] and assumed argc is at least 1, but any caller can execve() pkexec with an empty argument list. Because the kernel places envp directly after argv's terminating NULL, argv[1] then aliases envp[0]; pkexec reads that attacker-controlled environment string as a program name, resolves it against PATH, and writes the resolved path back to argv[1], i.e. into envp[0]. That lets an unprivileged local user reintroduce an environment variable that ld.so had stripped from the setuid process (the public exploits use GCONV_PATH, so glibc's iconv loads an attacker-supplied gconv module) and execute arbitrary code as root before any polkit authentication or policy check runs. The bug has been present since pkexec's first version in 2009 and affects any system where a vulnerable setuid pkexec binary is installed.
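The argv/envp aliasing described above, as an added example that is not code from polkit or from any repository listed on this page. It models the shape of pkexec's main() in memory: a vulnerable variant whose option loop starts at 1 with no argc check, the patched variant that rejects argc < 1 first, and a constructed stack vector laid out the way the kernel lays out argv and envp for execve(). The g_find_program_in_path() stand-in takes an injected "is this executable" predicate instead of touching the filesystem, so the model runs offline; the names find_program_in_path, env_lookup, planted_only and run_model are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_find_program_in_path(): walks a PATH string and asks the
 * injected `is_executable` predicate whether "<dir>/<name>" exists, so the
 * model needs no files on disk. Returns a malloc'd path or NULL. */
static char *find_program_in_path(const char *path_env, const char *name,
                                  int (*is_executable)(const char *))
{
    char *copy = strdup(path_env), *save = NULL, *hit = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL && hit == NULL;
         dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + strlen(name) + 2;
        char *candidate = malloc(len);
        snprintf(candidate, len, "%s/%s", dir, name);
        if (is_executable(candidate)) hit = candidate; else free(candidate);
    }
    free(copy);
    return hit;
}

/* getenv() over an explicit envp, which is what pkexec effectively does. */
static const char *env_lookup(char **envp, const char *key)
{
    size_t klen = strlen(key);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            return *e + klen + 1;
    return NULL;
}

/* Shape of the vulnerable pkexec main(): the option loop starts at n = 1 and
 * nothing checks argc, so with argc == 0 the code below touches argv[1]. */
int vulnerable_pkexec(int argc, char **argv, char **envp,
                      int (*is_executable)(const char *))
{
    int n;
    for (n = 1; n < argc; n++) {
        /* option parsing lives here; it never runs when argc == 0 */
    }
    char *path = argv[n];          /* argc == 0: argv[1] is envp[0] (OOB read) */
    if (path == NULL) return 127;
    if (path[0] != '/') {          /* relative name: resolve it against PATH */
        const char *path_env = env_lookup(envp, "PATH");
        char *resolved = find_program_in_path(path_env ? path_env : "", path,
                                              is_executable);
        if (resolved == NULL) return 127;
        argv[n] = resolved;        /* argc == 0: this lands in envp[0] (OOB write) */
    }
    return 0;
}

/* Shape of the fix: refuse an empty argument vector before touching argv. */
int patched_pkexec(int argc, char **argv, char **envp,
                   int (*is_executable)(const char *))
{
    if (argc < 1) return 127;
    return vulnerable_pkexec(argc, argv, envp, is_executable);
}

/* Constructed "filesystem": only the file an exploit would plant is executable. */
static int planted_only(const char *candidate)
{
    return strcmp(candidate, "GCONV_PATH=./pwnkit") == 0;
}

/* Builds the stack layout the kernel creates for
 * execve("/usr/bin/pkexec", {NULL}, {"pwnkit", "PATH=GCONV_PATH=.", ...}),
 * runs one variant, copies the resulting envp[0] into `env0`, and returns
 * the exit status. */
int run_model(int patched, char *env0, size_t env0_len)
{
    /* One contiguous vector, exactly as on the initial stack:
     * argv[0..argc-1], NULL, envp[0..], NULL. With argc == 0, argv[0] is
     * already the NULL terminator and argv[1] is envp[0]. */
    char *vec[] = { NULL, "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", NULL };
    char **argv = vec, **envp = vec + 1;
    char *before = envp[0];
    int rc = patched ? patched_pkexec(0, argv, envp, planted_only)
                     : vulnerable_pkexec(0, argv, envp, planted_only);
    snprintf(env0, env0_len, "%s", envp[0]);
    if (envp[0] != before) free(envp[0]);   /* the malloc'd resolved path */
    return rc;
}

int main(void)
{
    char env0[64];
    int rc = run_model(0, env0, sizeof env0);
    printf("vulnerable: rc=%d envp[0]=\"%s\"\n", rc, env0);   /* GCONV_PATH=./pwnkit */
    rc = run_model(1, env0, sizeof env0);
    printf("patched:    rc=%d envp[0]=\"%s\"\n", rc, env0);   /* pwnkit, untouched */
    return 0;
}
```

The vulnerable run leaves envp[0] holding the string GCONV_PATH=./pwnkit: the variable ld.so had stripped from the setuid process is back in the environment, which is the hook every gconv-module exploit catalogued below relies on. The patched run returns 127 and leaves envp[0] untouched.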
Exploits
31 valid exploits remained after Mallory filtered out fakes, detection-only scripts, and README-only repositories.
This repository is a standalone local privilege escalation exploit project for CVE-2021-4034 (PwnKit), not part of a larger exploitation framework. The repository contains one primary code file, exploit/pwnkit.py, plus supporting Markdown documentation in docs/analysis describing root cause, exploitation chain, and timeline. The Python script is the main entry point and acts as a wrapper/orchestrator that prepares a temporary working directory, generates C payload code for a malicious gconv shared object, compiles helper components, and triggers vulnerable /usr/bin/pkexec with a crafted empty argv/environment arrangement to exploit the pkexec out-of-bounds read/write condition. The exploit targets vulnerable polkit/pkexec installations on Linux (documented as polkit 0.105-31 and earlier). Its core capability is local root privilege escalation by abusing pkexec's argc==0 handling and reintroducing GCONV_PATH after SUID environment sanitization, causing glibc/iconv to load an attacker-controlled shared library whose gconv_init() executes as root. The script is operational rather than a minimal PoC because it supports multiple post-exploitation payload modes: interactive root shell, id/whoami proof-of-execution, arbitrary custom command execution, creation of a persistent SUID bash backdoor at /tmp/.sh, addition of a root-capable user to /etc/passwd, and a reverse shell callback to a supplied LHOST/LPORT. The reverse shell defaults to 127.0.0.1:4444 if not overridden. Artifacts and proof files are written under /tmp, including /tmp/pwnkit_id.txt, /tmp/pwnkit_root_test, and /tmp/pwnkit_backdoor. Repository structure is simple: LICENSE, README.md, three analysis documents under docs/analysis, and the exploit script under exploit/. The documentation is extensive and explains the vulnerable binary (/usr/bin/pkexec), the gconv abuse chain (GCONV_PATH=., gconv-modules, pwnkit.so), and expected filesystem artifacts. 
Overall, the repository's purpose is to provide an academically documented but functional multi-payload Linux LPE exploit for PwnKit.
This repository is a compact local privilege escalation exploit for PwnKit (CVE-2021-4034) targeting vulnerable Linux systems running polkit's pkexec as setuid-root. It contains one C source file, PwnKit.c, and a README with build and usage instructions. The code is a real exploit, not merely a detector. Repository structure is minimal: PwnKit.c implements the full exploit chain, while README.md documents compilation, execution, mitigation, and references. The binary is intended to be compiled as a shared object with a custom ELF entry point (entry) and position-independent code, allowing the same file to act both as the launcher and as the malicious gconv module. Core exploit behavior: the entry function creates attacker-controlled filesystem artifacts in the current directory, including GCONV_PATH=. and .pkexec, writes a crafted .pkexec/gconv-modules file, and symlinks the running binary to .pkexec/pkexec.so. It then invokes pkexec with a specially crafted environment: .pkexec, PATH=GCONV_PATH=., CHARSET=pkexec, SHELL=pkexec, and optionally CMD=<user command>. This abuses pkexec's vulnerable environment handling and gconv module loading to cause the binary's gconv_init() function to execute with elevated privileges. Privilege escalation and payload: once loaded, gconv_init() redirects stderr, retrieves the CMD environment variable, calls setresuid(0,0,0) and setresgid(0,0,0), removes the temporary exploit artifacts, and then either executes /bin/sh -c <cmd> as root or spawns an interactive root shell via /bin/bash -i, falling back to /bin/sh. This makes the exploit operational rather than a bare proof of concept. Notable implementation details include a cleanup routine using nftw/remove to recursively delete the created directories, a child process that monitors pkexec stderr for 'pkexec --version' to infer a patched target and print a failure message, and support for both 64-bit and 32-bit ELF interpreter paths via .interp section definitions. 
There are no remote network callbacks or C2 endpoints in the exploit itself. The attack vector is strictly local. Fingerprintable artifacts are primarily filesystem paths and executable targets used during exploitation, especially /usr/bin/pkexec, /proc/self/exe, .pkexec/gconv-modules, and the crafted GCONV_PATH-related directories/files.
This repository is a small standalone exploit and educational analysis package for CVE-2021-4034 (PwnKit), a local privilege escalation flaw in Polkit's SUID-root pkexec on Linux. The repo contains 8 files: one operational exploit script (pwnkit.sh), two educational C demos showing vulnerable and patched logic, and several Markdown documents covering technical analysis, root cause, and mitigation. The main exploit capability is in pwnkit.sh. It is a local file-based privilege escalation script, not a remote exploit. The script first checks whether the user is already root, then verifies that /usr/bin/pkexec exists and still has the SUID bit set. It creates a temporary staging directory under /tmp, writes a malicious C source file, and compiles it with gcc into a shared object payload. That payload defines gconv_init(), which sets UID/GID to 0 and execs /bin/sh, yielding an interactive root shell. The script then prepares a fake gconv environment by writing gconv-modules, creating a crafted GCONV_PATH=.-named directory, copying /usr/bin/true into a specially named path, exporting GCONV_PATH/PATH/LC_ALL, and finally invoking pkexec. If successful, pkexec loads the attacker-controlled module path and the payload executes as root. The exploit is operational rather than just theoretical because it includes a working payload and staging logic, but it is still basic and somewhat hardcoded. It requires local execution, a vulnerable pkexec installation, SUID still enabled, gcc present, and a writable temporary directory. The provided result is an interactive root shell. The two C files under source-codes are not the exploit used by the script; they are educational demonstrations. vulnerable_pkexec_demo.c illustrates the argc==0 / argv[1] out-of-bounds condition and how argv/envp adjacency can corrupt environment pointers. patched_pkexec_demo.c shows the defensive fix pattern by validating argc and bounds before dereferencing argv. 
These files help explain the vulnerability mechanics but do not themselves implement the full privilege escalation chain. There are no network callbacks, C2 endpoints, or remote targets in the exploit code. The notable fingerprintable artifacts are local paths and environment variables: /usr/bin/pkexec, /bin/sh, /tmp/pwnkit_$$, generated files pwnkit.c and pwnkit.so, gconv-modules, the crafted GCONV_PATH=. directory/value, and modified PATH/LC_ALL. README also includes repository and reference URLs, but these are documentation artifacts rather than runtime exploit infrastructure. Overall, the repository's purpose is twofold: provide a simple local PoC/operational exploit for PwnKit and document the vulnerability's root cause, exploitation chain, and mitigation guidance for researchers and defenders.
This repository is a compact self-contained local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting vulnerable polkit pkexec installations on Linux. The repository contains 5 files: a C exploit source (PwnKit.c), a helper shell script (PwnKit.sh) that downloads and runs a prebuilt binary, a Makefile for building 32-bit and 64-bit shared-object style binaries, a README with usage instructions, and a license. The main exploit logic is in PwnKit.c. It is compiled as a shared object with a custom entry point and embeds an ELF interpreter path for either amd64 or i386. At runtime, it creates a malicious gconv environment using the directories/files GCONV_PATH=., GCONV_PATH=./.pkexec, .pkexec, and .pkexec/gconv-modules, then symlinks its own executable to .pkexec/pkexec.so. It invokes pkexec with crafted environment variables (including PATH=GCONV_PATH=., CHARSET=pkexec, and SHELL=pkexec) to trigger the vulnerable code path. When the malicious gconv module is initialized via gconv_init(), the code calls setresuid(0,0,0) and setresgid(0,0,0), cleans up the temporary files, and launches either an interactive root shell or a root command supplied through the CMD environment variable. The exploit is clearly functional rather than merely demonstrative: it includes cleanup logic, fallback execution paths, support for both interactive and single-command modes, and both 32-bit and 64-bit build targets. There are no network C2 features or remote targets in the exploit itself; the attack vector is strictly local. The only network-related observables are raw.githubusercontent.com URLs used by the helper script and README examples to fetch the compiled exploit. Overall, this is an operational local LPE exploit designed to give immediate root shell/command execution on unpatched Linux systems vulnerable to CVE-2021-4034.
This repository is a compact local privilege escalation exploit for CVE-2021-4034 (PwnKit) targeting vulnerable polkit/pkexec installations on Linux. It is not part of a larger exploit framework. The repo contains two C source files, a Makefile, and a short README.

Structure and purpose:
- exploit_pwnkit.c: launcher binary. It invokes /usr/bin/pkexec with no arguments and a crafted environment designed to trigger the PwnKit bug and force loading of a malicious gconv module.
- pwnkit.c: malicious gconv shared library. Its gconv_init() function escalates privileges with setuid(0)/setgid(0) and executes /bin/sh, yielding a root shell.
- Makefile: builds the shared object (pwnkit.so) and the launcher (exploit), creates gconv-modules, and prepares the GCONV_PATH=. directory structure needed for exploitation.
- README.md: brief note stating the repository is for academic practice around CVE-2021-4034.

Exploit flow:
1. Build pwnkit.so from pwnkit.c and exploit from exploit_pwnkit.c.
2. Create a gconv-modules file mapping UTF-8 to the attacker-controlled PWNKIT converter.
3. Create the special GCONV_PATH=. directory and copy a file into the expected crafted path.
4. Run the exploit binary, which executes pkexec with a malicious environment.
5. Vulnerable pkexec loads the attacker-controlled gconv module.
6. gconv_init() runs as root, sets UID/GID to 0, and spawns /bin/sh.

Capabilities:
- Local exploitation only; no network behavior is present.
- Privilege escalation from local user to root.
- Spawns an interactive root shell as the payload.

There are no external network endpoints, C2 addresses, or remote targets in the code. All observable endpoints are local filesystem paths and environment-based artifacts used to exploit pkexec's gconv loading behavior.
This repository is a small, focused exploit project for CVE-2021-4034 (PwnKit), containing one primary code file and several markdown analysis documents. The only executable exploit code is exploit/pwnkit.py, a Python 3 wrapper that automates exploitation of the local polkit/pkexec privilege-escalation flaw by generating C payload code, compiling a malicious gconv shared object, preparing the required gconv-modules/GCONV_PATH staging, and invoking the vulnerable /usr/bin/pkexec path with a crafted argc==0 execution context. Repository structure: LICENSE, README.md, three docs/analysis markdown files, and exploit/pwnkit.py. The docs are explanatory only: 01-root-cause.md explains the argv/envp out-of-bounds read/write in pkexec; 02-exploitation-chain.md walks through the helper binary, environment layout, GCONV_PATH abuse, and gconv_init() execution; 03-timeline.md documents disclosure and patch history. No framework affiliation is evident. Exploit capabilities: the Python script is an operational local privilege-escalation tool rather than a detector. It supports multiple payload modes selected by CLI arguments: shell, id, whoami, backdoor_suid, add_root_user, reverse_shell, and custom. Based on the visible code and README, these payloads can spawn /bin/sh as root, run /usr/bin/id and /usr/bin/whoami and save output to /tmp files, create a persistent SUID bash backdoor at /tmp/.sh, modify /etc/passwd to add a root-capable user, connect back to an attacker-controlled host/port, or execute arbitrary commands as root. The script also includes password-hash generation for the user-creation payload and uses a temporary working directory for staging. Targeting: the exploit targets Linux systems with vulnerable polkit/pkexec versions (documented as 0.105-31 and earlier). It requires local code execution as an unprivileged user and a vulnerable SUID /usr/bin/pkexec binary. Reverse shell mode adds a network callback component, but the core exploit is local. 
Notable fingerprintable artifacts/endpoints include /usr/bin/pkexec, /bin/sh, /bin/bash, /etc/passwd, /tmp/.sh, /tmp/pwnkit_id.txt, /tmp/pwnkit_root_test, /tmp/pwnkit_backdoor, gconv-modules, pwnkit.so, and the crafted GCONV_PATH=. directory/path. Network observables are limited to the reverse shell callback parameters, with defaults of 127.0.0.1:4444 in code and an example 192.168.1.10:4444 in the README. Overall, this is a real, multi-payload local root exploit with academic documentation around it. It is more than a bare PoC because it automates setup and offers several post-exploitation options, but it is not part of a larger exploitation framework.
Repository contains a single-file local privilege escalation exploit for CVE-2021-4034 (Polkit pkexec, aka PwnKit).

Structure:
- README.md: Describes CVE-2021-4034 and provides basic run instructions.
- Z3R0_polkitLPE.sh: Bash driver that generates/compiles two C programs and triggers the exploit.

Exploit flow (Z3R0_polkitLPE.sh):
1) Generates zero.c implementing a malicious gconv module (zero.so). Its gconv_init() calls setuid(0)/setgid(0) and execve("/bin/bash") to yield a root shell.
2) Writes a gconv-modules file registering a fake charset (ZERO) mapped to the attacker module.
3) Creates a specially named directory 'GCONV_PATH=.' and places/copies the shared object in a path intended to be discovered by gconv when pkexec is invoked.
4) Generates and compiles zero_exploit.c, a minimal launcher that execve()'s /usr/bin/pkexec with a crafted envp (including "PATH=GCONV_PATH=.", "CHARSET=ZERO", and "GIO_USE_VFS=") to trigger pkexec's unsafe environment handling and load the malicious gconv module.
5) Executes ./zero_exploit, resulting in a root shell on vulnerable systems.

No network communication is present; the exploit is purely local and targets the pkexec binary at /usr/bin/pkexec.
Repository is a small, self-contained local privilege escalation exploit for CVE-2021-4034 (PwnKit) targeting Polkit's pkexec on x86_64 Linux.

Structure/purpose:
- exploit.c: Main exploit. Prepares a malicious gconv conversion module environment on disk, then calls execve("/usr/bin/pkexec", argv={NULL}, envp=crafted) to trigger the pkexec argc==0/environment handling bug and force loading of the attacker-controlled gconv module.
- shell.asm: NASM x86_64 payload implementing the gconv entrypoints (gconv, gconv_init). In gconv_init it performs the setgid(0) (syscall 106) and setuid(0) (syscall 105) system calls, then execve("/bin/sh", ["/bin/sh", NULL], NULL) to spawn a root shell.
- Makefile: Builds shell.asm into a stripped shared object (shell.so), converts it into a C header via xxd -i (shell_payload.h), then compiles exploit.c into the final ./exploit binary. The clean target removes generated artifacts and the created directories.
- README.md: Explains the CVE, tested Ubuntu/Polkit versions, build/run instructions, and mitigation.

Exploit capabilities:
- Local privilege escalation to root (no network component).
- Drops/creates on-disk artifacts (directories and gconv configuration) and writes an embedded shared object payload.
- Executes pkexec with a crafted environment to load the malicious gconv module and obtain a root shell.

No network endpoints (URLs/IPs) are used by the exploit code; the only external reference is a Qualys advisory link in the README.
Repository contains a self-contained local privilege escalation exploit for CVE-2021-4034 (Polkit pkexec “PwnKit”).

Structure/purpose:
- PwnKit.c: Core exploit implemented as a shared object with a custom entry point (linked with -Wl,-e,entry). It prepares a malicious gconv module setup in the current working directory (creates a directory named "GCONV_PATH=.", creates .pkexec/, writes .pkexec/gconv-modules, and symlinks itself to .pkexec/pkexec.so). It then execs pkexec with a crafted environment (PATH=GCONV_PATH=., CHARSET=pkexec, SHELL=pkexec, optional CMD=...) to coerce pkexec into loading the attacker-controlled gconv module.
- gconv_init() in PwnKit.c: Payload routine executed when the module is loaded. It sets real/effective/saved UID and GID to 0 (setresuid/setresgid), cleans up created artifacts (rmrf on "GCONV_PATH=." and ".pkexec"), then spawns a root shell (/bin/bash -i, fallback /bin/sh) or executes a single command via /bin/sh -c $CMD.
- Makefile: Builds 64-bit and 32-bit variants as shared objects (PwnKit, PwnKit32).
- PwnKit.sh: Convenience dropper that downloads a prebuilt binary from raw.githubusercontent.com, marks it executable, runs it, and attempts to delete it shortly after.
- README.md: Usage instructions including a curl|sh one-liner and manual steps.

Exploit capabilities:
- Local privilege escalation to root on vulnerable systems with pkexec installed and setuid.
- Arbitrary command execution as root (via an argument that becomes CMD=... in the environment) or an interactive root shell.
- Basic failure detection/cleanup: a forked child monitors stderr output; if it sees "pkexec --version" at the start (typical patched behavior), it prints a failure message and removes the created directories.

Notable observables:
- Files/directories created in the working directory: "GCONV_PATH=.", ".pkexec/", ".pkexec/gconv-modules", ".pkexec/pkexec.so".
- Network retrieval endpoints in the helper script/README: raw GitHub URLs for PwnKit and PwnKit.sh.

Overall, this is an operational LPE exploit (not just detection) that directly delivers a root shell or command execution on vulnerable Linux distributions.
Repository contains a self-contained local privilege escalation exploit for CVE-2021-4034 (polkit pkexec “PwnKit”).

Structure:
- PwnKit.c: Core exploit implemented as a shared object with a custom entry point (linked with -Wl,-e,entry). It crafts a malicious gconv module setup by creating a directory literally named 'GCONV_PATH=.' and a '.pkexec' directory containing a 'gconv-modules' file, then symlinks its own binary to '.pkexec/pkexec.so'. It executes pkexec with a controlled environment (PATH=GCONV_PATH=., CHARSET=pkexec, SHELL=pkexec, optional CMD=...) to trigger gconv loading. In gconv_init(), it sets UID/GID to 0 and executes an interactive root shell (/bin/bash -i, fallback /bin/sh) or runs a supplied command via /bin/sh -c.
- PwnKit.sh: Convenience downloader/runner that fetches a prebuilt 'PwnKit' binary from GitHub raw, runs chmod +x on it, executes it, and removes it shortly after.
- Makefile: Builds 64-bit and 32-bit shared-object variants (PwnKit, PwnKit32).
- README.md: Usage instructions including a curl|sh one-liner, manual steps, and references.

Capabilities:
- Local root privilege escalation on vulnerable systems.
- Root command execution via an optional argument (stored as the CMD env var) or an interactive root shell.
- Basic failure detection/cleanup: a forked child watches stderr for 'pkexec --version' output indicating a likely patched target and removes created artifacts; gconv_init() also removes artifacts after privilege escalation.

No C2 or remote network targeting is present; the only network activity is the optional download of the prebuilt binary/script from raw.githubusercontent.com.
This repository provides a fully operational local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility in polkit on Linux systems. The main exploit script is 'zaara_pwnkit.py', which orchestrates the attack by checking system vulnerability, compiling a malicious gconv shared object payload in C, and exploiting pkexec to spawn a root shell. The exploit is adaptive, offering stealth and verbose modes, and includes automated cleanup of artifacts. The repository also contains 'phazto_helper.c', a C utility for alternative exploitation and vulnerability checking, and 'team_phazto_detector.py', a Python script for system vulnerability assessment. The exploit requires local access to the target system, Python 3.6+, and GCC. The main fingerprintable endpoint is the pkexec binary, typically located at /usr/bin/pkexec. The exploit is not part of a larger framework and is self-contained, with clear documentation and usage instructions in the README.
This repository contains a Python-based helper tool ('exploit.py') designed to automate exploitation of CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in the pkexec utility on Linux systems. The tool checks for the presence and SUID bit of /usr/bin/pkexec, then downloads a public C exploit (PwnKit.c) from GitHub or from a user-specified server, compiles it, and executes it to attempt to gain a root shell. The exploit is operational and intended for CTF or educational use, as described in the README. The only code file is 'exploit.py', which handles argument parsing, file downloads, compilation, and execution. The attack vector is local, requiring shell access to the target system. The main fingerprintable endpoints are the pkexec binary path and the URLs used to fetch the exploit code. The repository is not part of a larger framework and is focused solely on exploiting this specific vulnerability.
This repository contains a Python-based helper script (exploit.py) for exploiting the Pkexec (polkit) local privilege escalation vulnerability (CVE-2021-4034, also known as PwnKit) on Linux systems. The exploit works by downloading a C source file (PwnKit.c) from a remote URL (by default from GitHub), compiling it, and executing it to escalate privileges to root via the vulnerable /usr/bin/pkexec SUID binary. The script supports downloading the exploit source from a user-specified server as well. It checks for the presence and SUID bit of pkexec, and provides options for verifying vulnerability, specifying custom file names, and output locations. The main entry point is exploit.py, which is written in Python and orchestrates the download, compilation, and execution of the payload. The README provides background and usage instructions. The exploit is operational and provides a root shell if successful. The main fingerprintable endpoints are the pkexec binary path and the URLs used to fetch the exploit code.
This repository contains a Python3 proof-of-concept exploit for CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in Polkit's pkexec utility on Linux. The main file, cve-2021-4034.py, decompresses and writes a malicious shared object (pwn.so) to a temporary directory, sets up a fake gconv module environment, and then executes /usr/bin/pkexec with a crafted environment to trigger the vulnerability. The exploit leverages the GCONV_PATH environment variable to load the attacker's shared object, resulting in root privilege escalation. The exploit is operational and requires local access to the target system. The repository is minimal, containing only the exploit script and a README.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in polkit's pkexec utility on Linux systems. The repository consists of a README.md describing the vulnerability, affected systems (e.g., Ubuntu 16.04 LTS, Debian 10.1.0), and usage instructions, and a single C source file (exploit.c) implementing the exploit. The exploit works by creating a malicious gconv module (shared library) and manipulating environment variables so that when pkexec is executed, glibc loads the attacker's code, which escalates privileges to root and spawns a root shell. The exploit is operational as a local privilege escalation tool and does not require network access. All actions are performed locally, targeting the /usr/bin/pkexec binary and leveraging file system manipulation to achieve code execution as root.
This repository is an automation wrapper for exploiting CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in Polkit's pkexec utility on Linux. The main file, main.py, is a Python script that automates the compilation and execution of a proof-of-concept C exploit (cve-2021-4034-poc.c, which is not included in this repository). After compiling and running the exploit, the script checks if root access was obtained by running 'whoami', attempts to list the contents of the /root directory, and tries to read /root/flag.txt (a common CTF flag location). The exploit requires local access to a vulnerable Linux system with gcc installed. The repository consists of a README and the main Python automation script.
This repository contains a local privilege escalation exploit for CVE-2021-4034 (Polkit pkexec, also known as 'PwnKit'). The exploit consists of two C files: 'cve-2021-4034.c' and 'pwnkit.c'. The main exploit ('cve-2021-4034.c') sets up a crafted environment and executes '/usr/bin/pkexec' with manipulated environment variables to trigger the vulnerability. The payload ('pwnkit.c') is a shared object that, when loaded via the gconv mechanism, sets the process UID and GID to 0 (root) and spawns a root shell. The exploit is operational and provides a root shell if successful. The attack vector is local, requiring the attacker to execute code on the target system. The repository is minimal, with a README and two C source files, and is focused solely on exploiting the pkexec vulnerability on Linux systems.
This repository is a proof-of-concept exploit for CVE-2021-4034 (Polkit pkexec local privilege escalation on Linux). The structure includes two main C files: 'ataque.c' (the exploit launcher) and 'vulner.c' (a test or helper binary). The exploit works by manipulating environment variables (notably GCONV_PATH) and providing a malicious gconv module ('config/evil.so') and configuration ('config/gconv-modules'). The README provides brief setup instructions. The actual payload is to be inserted into 'evil.so', which will be executed with elevated privileges if the exploit is successful. The attack vector is local, requiring the attacker to execute code on the target system and place files in specific locations. No network endpoints are present; all fingerprintable endpoints are file paths related to the gconv mechanism.
This repository demonstrates a local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility from the Polkit package on Linux systems. The exploit consists of two main C source files: 'cve-2021-4034.c', which sets up a crafted environment and invokes pkexec with a NULL argv, and 'pwnkit.c', which is compiled as a shared object to be loaded as a malicious gconv module. The exploit abuses pkexec's improper handling of environment variables and argument parsing to load the attacker's shared object, which then spawns a root shell. The repository also includes a minimal 'gconv-modules' configuration file required for the attack. The exploit is operational and provides a root shell if successful, but requires local access to a vulnerable system. No network endpoints are involved; all actions are performed locally. The code is concise and focused solely on demonstrating the vulnerability and exploitation process.
This repository contains a local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility from Polkit on Linux systems. The structure includes a Makefile for building the exploit components, a main exploit launcher (cve-2021-4034.c), and a malicious shared object (pwnkit.c) compiled as pwnkit.so. The exploit works by manipulating environment variables and the GCONV_PATH mechanism to trick pkexec into loading the attacker's shared object, which then spawns a root shell. The exploit is operational and provides a working root shell on vulnerable systems. No network endpoints are involved; the attack vector is purely local. The repository is concise, with clear separation between the launcher and payload components.
This repository contains a local privilege escalation exploit for CVE-2021-4034 (commonly known as 'PwnKit'), targeting the pkexec binary from polkit on Linux systems. The exploit consists of two main C files: 'cve-2021-4034.c', which sets up the environment and executes pkexec with crafted environment variables, and 'pwnkit.c', which is compiled as a shared object (pwnkit.so) and acts as a malicious gconv module. The Makefile automates the build and setup process, including creating necessary files and directories. When executed, the exploit leverages a flaw in pkexec's handling of environment variables and gconv modules to load the attacker's shared object, which escalates privileges and spawns a root shell. The exploit is operational and provides a working root shell on vulnerable systems. No network endpoints are involved; the attack vector is purely local. The repository is well-structured for its purpose, with clear build instructions and minimal files required for exploitation.
This repository contains a working local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility from Polkit on Linux systems. The main files are 'Exploit.c' and 'automated_script.c', both of which implement the same exploit logic: they create a malicious gconv shared object and manipulate environment variables and file paths to trick pkexec into loading this object. When executed, the exploit sets the user and group IDs to root and spawns a root shell, effectively granting root privileges to the attacker. The exploit is operational and requires the ability to compile and execute binaries on the target system. The README provides a brief description and references the CVE. The exploit does not target remote systems; it is a local privilege escalation technique.
This repository provides a cross-platform, operational exploit for CVE-2021-4034 (Polkit pkexec local privilege escalation, also known as 'PwnKit'). The exploit is implemented in C and consists of two main source files: 'cve-2021-4034.c' (the main exploit logic) and 'pwnkit.c' (the payload shared object). The build process (via 'build.sh' and the 'targets' file) uses Docker and musl cross-compilers to generate statically linked binaries for a wide range of architectures. The exploit works by creating a malicious gconv module (pwnkit.so), setting up the environment and file structure to trick pkexec into loading this module, and then executing pkexec with a crafted environment. When triggered, the payload sets the UID to 0 and spawns a root shell, granting the attacker root privileges. The repository also provides precompiled binaries for many architectures. The attack vector is local, requiring the attacker to execute the exploit on the target system. The main fingerprintable endpoints are the pkexec binary, the malicious gconv module files, and the shell that is spawned as root.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-4034, also known as PwnKit, a local privilege escalation vulnerability in polkit's pkexec utility on Linux systems. The repository consists of a README.md with usage instructions and a single C source file (cve-2021-4034-poc.c) implementing the exploit. The exploit works by creating a malicious GCONV module and manipulating environment variables to trick pkexec into loading the attacker's shared object, which then sets the process's user and group IDs to root and spawns a root shell. The exploit targets /usr/bin/pkexec and requires the ability to compile and execute code locally. No network endpoints are involved; the attack vector is purely local. The code is a functional PoC and demonstrates successful privilege escalation on unpatched Debian 10 and CentOS 7 systems.
This repository contains a local privilege escalation exploit for the polkit pkexec vulnerability (CVE-2021-4034, also known as PwnKit). The exploit is implemented in C (pkexec_exploit.c) and works by abusing the way pkexec handles environment variables and the gconv module loading mechanism. The exploit creates a malicious gconv shared object (payload.so) that, when loaded by pkexec, sets the process's UID and GID to 0 and spawns a root shell. The exploit sets up the necessary directory structure and files (including gconv-modules and the payload source), compiles the payload, and then executes pkexec with a crafted environment to trigger the vulnerability. The README provides references and background information but does not contain exploit code. The exploit targets Linux systems with a vulnerable version of pkexec and requires local access to execute. No network endpoints are involved; all actions are performed locally on the filesystem.
This repository contains a self-contained local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility from polkit on Linux systems. The main exploit logic is implemented in 'PwnKit.c', which is compiled as a shared object and executed to exploit a flaw in pkexec's environment variable handling. The exploit creates specific directories and files to manipulate the GCONV_PATH environment variable, sets up a malicious gconv module, and then executes pkexec to trigger the vulnerability. Upon success, it spawns a root shell or executes a user-supplied command as root. The repository also includes a Bash script ('PwnKit.sh') for easy download and execution of the compiled exploit. The exploit is operational and works on unpatched Linux distributions with a vulnerable version of pkexec. No network endpoints are involved; the attack vector is purely local. The repository is well-structured, with clear build instructions and usage examples in the README.
This repository contains a working exploit for CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in polkit's pkexec utility on Linux. The exploit is implemented in C and shell script, with supporting Makefiles for building the payloads. The main exploit (cve-2021-4034.c and pwnkit.c) works by crafting a malicious environment and gconv module, causing pkexec to execute arbitrary code as root, ultimately spawning a root shell. The repository also includes a 'dry-run' mode for safely testing vulnerability without spawning a shell. The exploit is operational and provides a root shell if successful. The main targets are Linux systems with a vulnerable pkexec binary. No network endpoints are involved; the attack vector is local. The structure is clean, with clear separation between exploit, payload, and test code, and includes a one-liner shell script for easy exploitation.
This repository contains three proof-of-concept (POC) exploits for CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in polkit's pkexec utility on Linux. The files include two Python scripts (one for Python 2 and one for Python 3) and a C-based POC. All exploits work by crafting a malicious environment and shared object to exploit pkexec's handling of environment variables and the GCONV_PATH mechanism, ultimately executing code as root. The Python scripts decompress and write a malicious shared object (pwn.so), set up the required directory structure and environment variables, and invoke pkexec to trigger the vulnerability. The C POC creates a similar setup, compiles a malicious shared object, and executes pkexec with a crafted environment. The README provides usage instructions for each exploit. The main target is /usr/bin/pkexec, and the attack vector is local privilege escalation. No network endpoints are involved. The payload is a root shell, and the exploit is a functional POC, not weaponized.
This repository provides a local privilege escalation exploit for CVE-2021-4034 (Polkit pkexec). The exploit targets a logic flaw in pkexec's handling of environment variables and command-line arguments, allowing an attacker to execute arbitrary code as root. The repository contains a detailed README explaining the vulnerability, exploitation steps, and mitigation. The 'poc' directory includes:
- 'exp.c': A C program that sets up the required environment variables and invokes pkexec with a crafted environment to trigger the vulnerability.
- 'lib.c': The payload, compiled as a shared object, which is loaded via the GCONV_PATH hijack and spawns a root shell.
- 'run.sh': A setup script that prepares the exploit environment, compiles the payload, and builds the exploit binary.
The exploit is operational and provides a working root shell on vulnerable systems. It does not require remote access; it must be run locally. The exploit leverages file system artifacts (directories and files with specific names) and environment variable manipulation to hijack the gconv module loading process, resulting in arbitrary code execution as root.
This repository contains a proof-of-concept exploit for CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in polkit's pkexec utility on Linux. The repository consists of a Python script (cve-2021-4034-poc.py) that automates the exploitation process. The script creates a malicious gconv module in C, compiles it as a shared object, and sets up the necessary environment variables and files to hijack pkexec's execution flow. When pkexec is executed with the crafted environment, it loads the attacker's shared object, which sets the process's user and group IDs to root and spawns a root shell. The exploit requires local access to the target system and the ability to execute Python and gcc. The README provides usage instructions and references the original C exploit. The main target is the /usr/bin/pkexec binary on vulnerable Linux systems.
This repository contains a working local privilege escalation exploit for CVE-2021-4034 (PwnKit), targeting the pkexec utility in polkit (policykit-1) on Linux. The exploit is implemented in C and consists of two main code files: 'pwnkit.c' (the main exploit driver) and 'conversion-mod.c' (the malicious gconv shared object). The Makefile automates the setup, compilation, and cleanup of the exploit environment, including the creation of necessary directories and configuration files for the gconv module. The Dockerfile provides a reproducible environment for testing the exploit against a vulnerable version of polkit. The exploit works by manipulating environment variables and the GCONV_PATH to trick pkexec into loading a malicious gconv module, which then sets the process UID and GID to 0 and spawns a root shell. The README provides usage instructions and references to further resources. No network endpoints are involved; the attack vector is purely local. The exploit is operational and provides a root shell if successful.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A local privilege escalation vulnerability in Polkit (PwnKit) that the recovered staging directory included as tooling for post-compromise privilege escalation on compromised hosts.
Referenced only as a search term; no substantive discussion of the vulnerability is provided in the content.
Local privilege escalation vulnerability on Linux (PwnKit) that can be exploited to gain elevated/root privileges.